Automatic security action invocation for mobile communications device

ABSTRACT

A mobile communications device, server, and method for providing security on a mobile communications device are described. In accordance with one example embodiment, the mobile communications device comprises: a processor; a communications subsystem connected to the processor operable to exchange signals with a wireless network and with the processor; a storage element connected to the processor and having a plurality of application modules and data stored thereon, the data comprising at least user application data associated with the application modules and service data including data for establishing communications with the wireless network; and a security module operable to detect policy messages received by the mobile communications device, wherein the security module is further operable to perform a security action if a first policy message to enforce a first data protection policy is received and a subsequent policy message to enforce a second data protection policy is not received within a predetermined duration from the time at which the first policy message is received; and wherein the security action comprises erasing or encrypting at least some of the data on the storage element.

RELATED APPLICATION DATA

The present application claims priority to provisional U.S. patentapplication No. 60/747,588, filed May 18, 2006, which is incorporatedherein by reference. The present application is also related tocommonly-owned U.S. applications Ser. Nos. ______ both entitled“AUTOMATIC SECURITY ACTION INVOCATION FOR MOBILE COMMUNICATIONS DEVICE”filed under attorney docket numbers 42783-0529 and 42783-0530 on evendate herewith, which are incorporated by reference.

TECHNICAL FIELD

The present application relates to security for mobile communicationsdevices.

BACKGROUND

As a result of their mobility, mobile communications devices aresometimes lost or stolen. Frequently, the loss of the information storedon a missing device is of greater concern than the loss of the deviceitself. For example, the device may have sensitive and/or confidentialinformation stored on it that could cause harm if acquired by others.Such sensitive information could include, among other things, storedmessages of a confidential nature, and stored communications informationthat would allow a third party to masquerade electronically as theperson to whom the mobile device rightfully belongs.

In some mobile communications networks, once a user discovers that hisor her mobile device is missing, he or she can contact the networkoperator or the system administrator for his or her organization andrequest that a “kill packet” be sent to the missing mobile deviceinstructing the device to wipe sensitive information from its memory.However, such a system requires that the user realize that the mobiledevice is missing, and that the mobile device be in communication withthe network. If the user relies on the device for communication, theymay be unable to report it missing or stolen in a timely manner.

Thus, security for mobile communications devices remains a concern.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram showing a communications system including amobile communications device to which embodiments described herein maybe applied;

FIG. 2 is a flow diagram of a security process according to a firstexample embodiment;

FIG. 3 is a flow diagram showing a security sub-process that can work inconjunction with the security process of FIG. 2;

FIG. 4 is a flow diagram showing a yet further security sub-process thatcan work in conjunction with the security process of FIG. 2;

FIG. 5 is a flow diagram showing another example embodiment of asecurity process that can be applied to the device of FIG. 1;

FIG. 6 is a flow diagram showing yet another example embodiment of asecurity process that can be applied to the device of FIG. 1;

FIG. 7 is a flow diagram showing another security sub-process that canwork in conjunction with other security processes described herein; and

FIG. 8 is a block diagram showing a mobile device server to whichembodiments described herein may be applied.

It will be noted that throughout the drawings similar features areidentified by the same reference numerals.

DETAILED DESCRIPTION

In accordance with one example embodiment of the present application,there is provided a mobile communications device, comprising: aprocessor; a communications subsystem connected to the processoroperable to exchange signals with a wireless network and with theprocessor; a storage element connected to the processor and having aplurality of application modules and data stored thereon, the datacomprising at least user application data associated with theapplication modules and service data including data for establishingcommunications with the wireless network; and a security module operableto detect policy messages received by the mobile communications device;wherein the security module is further operable to perform a securityaction if a first policy message to enforce a first data protectionpolicy is received and a subsequent policy message to enforce a seconddata protection policy is not received within a predetermined durationfrom a time at which the first policy message is received; and whereinthe security action comprises erasing or encrypting at least some of thedata on the storage element.

In accordance with another example embodiment of the presentapplication, there is provided a mobile communications device,comprising: a processor; a communications subsystem connected to theprocessor operable to exchange signals with a wireless network and withthe processor; a storage element connected to the processor and having aplurality of application modules and data stored thereon, the datacomprising at least user application data associated with theapplication modules and service data including data for establishingcommunications with the wireless network; and a security module operableto determine if a battery level falls below a predetermined thresholdand perform a security action comprising erasing or encrypting at leastsome of the data on the storage element if the battery power falls belowthe predetermined threshold.

In accordance with a further example embodiment of the presentapplication, there is provided a mobile communications device,comprising: a processor; a communications subsystem connected to theprocessor operable to exchange signals with a wireless network and withthe processor; a storage element connected to the processor and having aplurality of application modules and data stored thereon, the datacomprising at least user application data associated with theapplication modules and service data including data for establishingcommunications with the wireless network; and a security module operableto detect a locked state of the mobile communications device andinitiate a lockout data protection timer for a predetermined durationupon detection of the locked state; and wherein the security module isoperable to, after the lockout data protection timer has been initiated,detect if a password shared by the user and the mobile communicationsdevice is entered through a user input device within the predeterminedduration of the lockout data protection timer; wherein the securitymodule is operable to terminate the lockout data protection timer ifentry of the password is detected within the predetermined duration; andwherein the security module is operable to perform a security actioncomprising erasing or encrypting at least some of the data on thestorage element if entry of the password is not detected within thepredetermined duration.

In accordance with a further example embodiment of the presentapplication, there is provided a mobile communications device,comprising: a processor; a communications subsystem connected to theprocessor operable to exchange signals with a wireless network and withthe processor; a storage element connected to the processor and having aplurality of application modules and data stored thereon, the datacomprising at least user application data associated with theapplication modules and service data including data for establishingcommunications with the wireless network; and a security module operableto detect if a delayed data protection initiate command is received bythe mobile communications device; wherein the security module isoperable to initiate a delayed data protection timer for a firstpredetermined duration provided in the delayed data protection initiatecommand if the delayed data protection initiate command is received;wherein the security module is operable to, after the delayed dataprotection timer has been initiated, detect: (i) entry of a passwordshared by the user and the mobile communications device through a userinput device within the first predetermined duration of the delayed dataprotection timer; (ii) receipt by the mobile communications device of aterminate command; or (iii) receipt by the mobile communications deviceof a delay command; wherein the security module is operable to terminatethe delayed data protection timer if entry of the password or receipt ofthe terminate command is detected within the first predeterminedduration; wherein the security module is operable to reset the delayeddata protection timer for a second predetermined duration provided inthe delay command if receipt of a delay command is detected within thefirst predetermined duration; and wherein the security module isoperable to perform a security action comprising erasing or encryptingat least some of the data on the storage element if entry of thepassword, receipt of the terminate command, or receipt of a delaycommand is not detected within the first predetermined duration.

In accordance with a further example embodiment of the presentapplication, there is provided a method for providing security on amobile communications device, the mobile communications device beingconfigured to communicate with a wireless communications network andincluding a storage element having data stored thereon, the methodcomprising the acts of: monitoring to detect policy messages received bythe mobile communications device; and if a first policy message toenforce a first data protection policy is received and a subsequentpolicy message to enforce a second data protection policy is notreceived within a predetermined duration from a time at which the firstpolicy message is received, performing a security action comprisingerasing or encrypting at least some of the data on the storage element.

In accordance with a further example embodiment of the presentapplication, there is provided a method for providing security on amobile communications device, the mobile communications device beingconfigured to communicate with a wireless communications network andincluding a storage element having data stored thereon, the methodcomprising the acts of: monitoring to determine if a battery level fallsbelow a predetermined threshold, and if the battery power falls belowthe predetermined threshold, performing a security action comprisingerasing or encrypting at least some of the data on the storage element.

In accordance with a further example embodiment of the presentapplication, there is provided a method for providing security on amobile communications device, the mobile communications device beingconfigured to communicate with a wireless communications network andincluding a storage element having data stored thereon, the methodcomprising the acts of: monitoring to detect for the locked state of themobile communications device and initiating a lockout data protectiontimer for a predetermined duration upon detection of the locked state;and monitoring, after the lockout data protection timer has beeninitiated, to detect if a password shared by the user and the mobilecommunications device is entered through the user input device withinthe predetermined duration of the lockout data protection timer; ifentry of the password is detected within the predetermined duration,terminating the lockout data protection timer; and if entry of thepassword is not detected within the predetermined duration, performing asecurity action comprising erasing or encrypting at least some of thedata on the storage element.

In accordance with a further example embodiment of the presentapplication, there is provided a method for providing security on amobile communications device, the mobile communications device beingconfigured to communicate with a wireless communications network andincluding a storage element having data stored thereon, the methodcomprising the acts of: monitoring to detect if a delayed dataprotection initiate command is received by the mobile communicationsdevice, and if a delayed data protection initiate command is received,initiating a delayed data protection timer for a first predeterminedduration provided in the delayed data protection initiate command; andmonitoring, after the delayed data protection timer has been initiated,to detect for: (i) entry of a password shared by the user and the mobilecommunications device through the user input device within the firstpredetermined duration of the delayed data protection timer; (ii)receipt by the mobile communications device of a terminate command; or(iii) receipt by the mobile communications device of a delay command; ifentry of the password or receipt of the terminate command is detectedwithin the first predetermined duration, terminating the delayed dataprotection timer; if receipt of a delay command is detected within thefirst predetermined duration, resetting the delayed data protectiontimer for a second predetermined duration provided in the delay command;and if entry of the password, receipt of the terminate command, orreceipt of a delay command is not detected within the firstpredetermined duration, performing a security action comprising erasingor encrypting at least some of the data on the storage element.

In accordance with a further example embodiment of the presentapplication, there is provided a server for providing security on atleast one mobile communications device, the server being configured tocommunicate with a plurality of mobile communications devices over awireless network, the server comprising: a processor; a communicationssubsystem connected to the processor for exchanging signals with thewireless network and with the processor; and a security module forsending policy messages to one or more of the mobile communicationsdevices in the plurality of mobile communications devices associatedwith the server at predetermined intervals in accordance with apredetermined frequency, the policy messages including instructions forexecution by the one or more of the devices to enforce or terminate adata protection policy.

In accordance with a further example embodiment of the presentapplication, there is provided a communications system for providingsecurity on a mobile communications device, comprising:

one or more mobile communications devices, each comprising: a processor;a communications subsystem connected to the processor operable toexchange signals with a wireless network and with the processor; astorage element connected to the processor and having a plurality ofapplication modules and data stored thereon, the data comprising atleast user application data associated with the application modules andservice data including data for establishing communications with thewireless network; and a security module operable to detect policymessages received by the mobile communications device; wherein thesecurity module is further operable to perform a security action if afirst policy message to enforce a first data protection policy isreceived and a subsequent policy message to enforce a second dataprotection policy is not received within a predetermined duration from atime at which the first policy message is received; and wherein thesecurity action comprises erasing or encrypting at least some of thedata on the storage element; and

a server comprising: a processor; a communications subsystem connectedto the processor for exchanging signals with the wireless network andwith the processor; and a security module for sending policy messages tothe one or more mobile communications devices at predetermined intervalsin accordance with a predetermined frequency, the policy messagesincluding instructions for execution by the one or more of the mobilecommunications devices to enforce or terminate a data protection policy.

In accordance with a further example embodiment of the presentapplication, there is provided a computer program product comprising amachine-readable medium tangibly embodying instructions executable on amobile communications device for providing security on the mobilecommunications device, the machine-readable instructions comprising:code for monitoring to detect policy messages received by the mobilecommunications device; and code for performing a security actioncomprising erasing or encrypting at least some of the data on thestorage element if a first policy message to enforce a first dataprotection is received and a subsequent policy message to enforce asecond data protection policy is not received within a predeterminedduration from a time at which the first policy message is received.

Referring now to the drawings, FIG. 1 is a block diagram of a mobilecommunication device 10 to which example embodiments described hereincan be applied. The mobile communication device 10 is a two-waycommunication device having at least data and possibly also voicecommunication capabilities and the capability to communicate with othercomputer systems on the Internet. Depending on the functionalityprovided by the device, in various embodiments the device may be a datacommunication device, a multiple-mode communication device configuredfor both data and voice communication, a mobile telephone, a PDA(personal digital assistant) enabled for wireless communication, or acomputer system with a wireless modem, among other things.

The mobile device 10 includes a wireless communication subsystem 11 forexchanging radio frequency signals with a wireless network 50. Thecommunication subsystem 11 includes a receiver, a transmitter, andassociated components, such as one or more antenna elements, localoscillators (LOs), and digital signal processor (DSP). As will beapparent to those skilled in the field of communications, the particulardesign of the communication subsystem 11 depends on the wireless network50 in which mobile device 10 is intended to operate.

The mobile device 10 may send and receive communication signals over thewireless network 50 after the required network registration oractivation procedures have been completed. Signals received by theantenna through the wireless network 50 are input to the receiver, whichmay perform such common receiver functions as signal amplification,frequency down conversion, filtering, channel selection, and the like,and analog-to-digital (A/D) conversion. A/D conversion of a receivedsignal allows more complex communication functions such as demodulationand decoding to be performed in the DSP. In a similar manner, signals tobe transmitted are processed, including modulation and encoding, forexample, by DSP. These DSP-processed signals are input to thetransmitter for digital-to-analog (D/A) conversion, frequency upconversion, filtering, amplification and transmission over the wirelessnetwork 50 via the antenna. The DSP not only processes communicationsignals, but also provides for receiver and transmitter control. Forexample, the gains applied to communication signals in the receiver andthe transmitter may be adaptively controlled through automatic gaincontrol algorithms implemented in the DSP.

The mobile device 10 includes a controller in the form of at least onemicroprocessor 38 that controls the overall operation of the mobiledevice 10. The microprocessor 38 interacts with communications subsystem11 and also interacts with further device subsystems such as the display22, flash memory 24, random access memory (RAM) 26, auxiliaryinput/output (I/O) subsystems 28, serial port 30, keyboard or keypad 32,speaker 34, microphone 36, a short-range communications subsystem 40, aclickable thumbwheel (trackwheel) or trackball (not shown), and anyother device subsystems generally designated as 42.

Some of the subsystems shown in FIG. 1 perform communication-relatedfunctions, whereas other subsystems may provide “resident” or on-devicefunctions. Notably, some subsystems, such as keyboard 32 and display 22for example, may be used for both communication-related functions, suchas entering a text message for transmission over a communicationnetwork, and device-resident functions such as a calculator or tasklist.

Operating system software 54 and various software applications 58 usedby the microprocessor 38 are, in one example embodiment, stored in apersistent store such as flash memory 24 or similar storage element.Those skilled in the art will appreciate that the operating system 54,specific device applications 58, or parts thereof, may be temporarilyloaded into a volatile store such as RAM 26. It is contemplated thatreceived communication signals may also be stored to RAM 26.

The microprocessor 38, in addition to its operating system functions,enables execution of software applications 58 on the device. Apredetermined set of applications 58 which control basic deviceoperations, including at least data and voice communication applicationsfor example, will normally be installed on the mobile device 10 duringmanufacture. Further applications may also be loaded onto the mobiledevice 10 through the network 50, an auxiliary I/O subsystem 28, serialport 30, short-range communications subsystem 40 or any other suitablesubsystem 42, and installed by a user in the RAM 26 or a non-volatilestore for execution by the microprocessor 38. Such flexibility inapplication installation increases the functionality of the device andmay provide enhanced on-device functions, communication-relatedfunctions, or both. For example, secure communication applications mayenable electronic commerce functions and other such financialtransactions to be performed using the mobile device 10.

In a data communication mode, a received signal such as a text messageor web page download will be processed by the communication subsystem 11and input to the microprocessor 38, which will further process thereceived signal for output to the display 22, or alternatively to anauxiliary I/O device 28. A user of mobile device 10 may also composedata items such as email messages for example, using the keyboard 32 inconjunction with the display 22 and possibly an auxiliary I/O device 28.Such composed items may then be transmitted over a communication networkthrough the communication subsystem 11.

The serial port 30 (which may for example be a Universal Serial Bus(USB) port) in FIG. 1 would normally be implemented in a personaldigital assistant (PDA)-type communication device for whichsynchronization with a user's desktop computer (not shown) may bedesirable, but is an optional device component. Such a port 30 wouldenable a user to set preferences through an external device or softwareapplication and would extend the capabilities of the device by providingfor information or software downloads to the mobile device 10 other thanthrough a wireless communication network.

A short-range communications subsystem 40 is a further component whichmay provide for communication between the mobile device 10 and differentsystems or devices, which need not necessarily be similar devices. Forexample, the subsystem 40 may include an infrared device and associatedcircuits and components or a Bluetooth™ communication module to providefor communication with similarly enabled systems and devices. The mobiledevice 10 may be a handheld device. The mobile device 10 includes abattery 12 as a power source, which will typically be a rechargeablebattery that may be charged, for example, through charging circuitrycoupled to the USB port 30

Wireless communication network 50 is, in an example embodiment, awireless wide area packet data network, which provides radio coverage tomobile devices 10. Wireless communication network 50 may also be a voiceand data network such as GSM (Global System for Mobile Communication)and GPRS (General Packet Radio System), CDMA (Code Division MultipleAccess), or various other third generation networks such as EDGE(Enhanced Data rates for GSM Evolution) or UMTS (Universal MobileTelecommunications Systems). In some example embodiments, network 50 isa wireless local area network (WLAN), such as for example a networkcompliant with one or more of the IEEE 802.11 family of standards. Insome example embodiments, the mobile device 10 is configured tocommunicate in both data and voice modes over both wireless WAN and WLANnetworks and to roam between such networks.

In an example embodiment, wireless gateway 62 is adapted to route datapackets received from a mobile communication device 10 over wirelessmobile network 50 to destination electronic mail messaging or Internetaccess server 68 through a mobile device server 66, and to route datapackets received from the server 68 through the mobile device server 66over the wireless mobile network 50 to a destination mobilecommunications device. Wireless gateway 62 forms a connection or bridgebetween the servers and wireless networks associated with wirelesse-mail communication and/or Internet access. In an example embodiment,wireless gateway 62 is coupled between wireless network 50 and ahardwired data network (for example an enterprise network 70 that islocated behind a firewall) that includes mobile device server 66 andelectronic mail server 68. The wireless gateway 62, in exampleembodiments, stores system configuration information, system state data,and tables that store mobile device 10 information. The mobile deviceserver 66, in example embodiments, is a server located in an enterprisenetwork 70 behind a firewall and connected to the wireless gateway 62through the Internet or another connection. Mobile device server 66 isconfigured as an enterprise's interface between the enterprise network70 and the wireless network 50. Typically, a plurality of mobile devices10 will be associated with a mobile device server 66 that is part of theenterprise network 70 managed by an organization that the users of suchmobile devices 10 are part of. Mail server 68 is coupled to mobiledevice server 66 and, in one embodiment, is a conventional electronicmail server. In another embodiment, the mobile device server 66 is acomponent of the mail server 68. In some embodiments, the mobile deviceserver 66 may be operated by a wireless carrier that operates wirelessnetwork 50.

The mobile device 10 stores data 60 in an erasable persistent memory,which in one example embodiment is flash memory 24. In variousembodiments, the data 60 includes service data 61 comprising informationrequired by the mobile device 10 to establish and maintaincommunications with the wireless communications network 50 (wirelessnetwork service data) and the wireless gateway 62 (gateway servicedata). The data 60 may also include other data 64, user application data63 such as email messages, address book and contact information,calendar and schedule information, notepad documents, image files, andother commonly stored user information stored on the mobile device 10 byits user. The data 60 may also include data required for thecommunications layers managed by the mobile device server 66 and servers68. The data 60 often includes critical data that the user of mobiledevice 10 (or others) does not want to be accessed by an unauthorizedparty.

In some examples, flash memory 24 may include both a memory componentthat is permanently part of the mobile device 10, as well a removablememory including for example memory on a Subscriber Identity Module(SIM) card. Some of the data 60 may be stored on the SIM card, and somestored on permanent flash memory.

In an example embodiment, mobile device server 66 is configured toperiodically transmit IT (Information Technology) data protection policymessages 72 (sometimes referred to as merely policy messages 72) throughthe wireless gateway 62 and wireless network 50 to its associated mobiledevices 10. Typically, mobiles devices 10 will have a number ofsettings, including security settings that are governed by a dataprotection policy. The periodic transmission of data protection policymessages from the mobile device server 66 to addressed mobile device 10that are associated with the mobile device server 66 assists inensuring, among other things, that each of the mobile devices 10 is keptup to date with the latest data protection policy. The content andfrequency of policy messages 72 can be set by an authorized ITadministrator of enterprise network 70.

In order to provide security for a lost or stolen mobile device 10, themobile device 10 includes a security module 56, which in one exampleembodiment is implemented by a software component that is part of theoperating system 54. In other embodiments, the security module 56 is, oris part of, a specialized software application 58 separate from theoperating system 54. The security module 56 includes instructions forconfiguring the microprocessor 38 to cause the mobile device 10 to carryout at least parts of the security processes that are described below.The process 200 shown in FIG. 2 is intended to address a securitysituation in which a user's mobile device 10 has been lost or stolen andis no longer able to receive messages from the mobile device server 66and hence cannot receive a “Kill Packet” or “Device Wipe” command.Generally, in the security process 200, a data protection securityaction (for example, a device wipe) is taken on the mobile device 10 ifa specified amount of time passes without the mobile device 10 receivinga policy message 72 from its associated mobile device server 66. Thus,if the mobile device 10 is out of radio coverage for too long a timeperiod, it will be wiped. Also, even if the device is in radio coverageof a wireless network, but that particular network is not a networkthrough which the mobile device 10 can receive data protection policypackets from the mobile device server 66, then the mobile device 10 willbe wiped—for example, if the mobile device 10 moves out of coverage its“home” wireless network 50 into an area of alternative network coveragewhere the operator of the “home” wireless network 50 does haveappropriate coverage agreements in place, then the mobile device 10 willbe wiped after a predetermined duration. Additionally, as will beexplained in greater detail below, in some embodiments, the mobiledevice 10 will be wiped if it is turned off for too long and thus doesnot receive an updated policy message 72 due to being in the “off”state. Alternatively, in other embodiments rather than wiping the device(i.e., erasing data from the mobile device 10) data 60 on the mobiledevice 10 may be encrypted.

Prior to explaining the operation of a particular mobile device 10 ingreater detail in the context of FIG. 2, the configuration of the mobiledevice server 66 will first be discussed. In an example embodiment, anIT manager or administrator makes a decision to enable auto-wipesecurity for at least some of the mobile devices 10 that are associatedwith the mobile device server 66, and uses an IT data protection policyeditor that is coupled to the mobile device server 66 to set a dataprotection policy for the affected mobile devices 10 to automaticallywipe the mobile device 10 when the data protection policy is out ofdate. As part of selecting the auto-wipe policy, the IT administratorcan set both the frequency at which policy messages 72 are sent, and theduration of time that an auto-wipe should occur after if an updatedpolicy message 72 is not received at a mobile device 10 (i.e., theduration of a timer(s), as described in more detail below). In someembodiments, these values may be set at the same time or at differenttimes (for example, via separate user interface dialogues or menus).This allows the frequency at which policy messages 72 are sent and theduration of timers to be configured independently. In some embodiments,the duration of the timer may be configured to be same as the frequencyat which policy messages 72 are sent, or may be configured to bedifferent. Setting the frequency of policy messages 72 to be the same asthe duration of the timer (for example, setting the policy messages 72to be sent every 5 minutes and setting the timer duration to 5 minutes)provides a configuration in which the mobile device 10 cannot miss asingle policy message 72 without performing a data protection securityaction (e.g., a device wipe). This configuration may not be advantageousfor users that may be out of coverage periodically, depending on thespecific timer duration/frequency of policy messages 72. For such users,specifying a timer duration which is greater than the frequency ofpolicy messages 72 may allow one or more policy messages 72 to be missedwithout performing a data protection security action (depending on thespecific values assigned to the frequency of the policy messages 72 andthe timer duration), if this capability is desired. By way ofillustrative example only, the auto-wipe countdown timer starting timeduration could be 24 hours, with the standard duration between policymessages 72 being set at 8 hours, with the result that missing 3consecutive policy messages 72 will result in a device wipe.

In some embodiments, the IT administrator has the option of setting thedata protection policy globally for all mobile devices 10 associatedwith the mobile device server 66, or for groups or classes of mobiledevices 10 associated with the mobile device server 66, or for one ormore individual mobile devices 10 associated with the mobile deviceserver 66.

Referring now to FIG. 8, an example embodiment of the mobile deviceserver 66 will be briefly described. The mobile device server 66 may bea computer implementing a server application(s) configured forperforming the security processes and functions described herein. Themobile device server 66 in this example embodiment comprises a processor802 (i.e., microprocessor) for controlling its operation, acommunications subsystem 804 connected to the processor 802 forcommunicating with the wireless network 50 via the wireless gateway 62and with the processor 802, a display 805 such as a monitor, one or moreuser input devices 806 such as a keyboard and mouse connected to theprocessor 802 for sending user input signals to the processor 802 inresponse to user inputs, and a memory or storage element 808 such as ahard disk drive (HDD), RAM, ROM and/or other suitable memory connectedto the processor 802, and other suitable input and output devices (notshown) as desired or required. Operating system software 810, softwareapplications 812, and data 814 used by the processor 802 are stored inthe memory 808. The applications 812 and data 814 configure theoperation of the mobile device server 66. Other features of the mobiledevice server 66 for implementing the security processes and functionsdescribed herein will be appreciated by persons ordinarily skilled inthe art.

The mobile device server 66 also includes a security module 818 which,in this example embodiment, is implemented by one or more softwarecomponents or modules stored in memory 808. The security module 818configures the processor 802 to carry out at least parts of the securityprocesses of the mobile device server 66 that are described herein. Inone example embodiment, the security module 818 is configured forsending policy messages 72 to one or more of the mobile devices 10 inthe plurality of mobile communications devices 10 associated with themobile device server 66 at predetermined intervals in accordance with apredetermined frequency, the policy messages including instructions forexecution by the one or more of the mobile devices 10 to enforce (i.e.,initiate, modify, maintain) or terminate a data protection policy, asexplained in more detail herein.

Once the data protection policy associated with one or more mobiledevices 10 is set to specify an auto-wipe policy, a corresponding policymessage 72 specifying the auto-wipe policy is pushed through wirelessgateway 62 and wireless network 50 to the affected mobile devices 10. Insome embodiments, the policy message 72 containing an auto-wipe policyis sent immediately upon the policy being changed. In other embodiments,the revised data protection policy is sent at the next regularlyscheduled interval via a policy message 72. In an example embodiment, solong as the auto-wipe policy is in effect, each of the policy messages72 that are sent to the affected mobile device 10 will includeconfirmation that the auto-wipe policy is in effect. In the event thatthe administrator chooses to rescind the auto-wipe policy, the nextpolicy message 72 that is sent out from the mobile device server 66 willomit the auto-wipe policy confirmation.

Turning again to FIG. 2, as indicated in step 202, the mobile device 10is configured to detect if and when a policy message 72 that specifiesan auto-wipe policy is received by the mobile device 10. Next in step204, if a policy message 72 specifying an auto-wipe policy is received,the mobile device 10 sets an internal auto-wipe timer to a predeterminedtime duration, and starts counting down from the predetermined timeduration. In an example embodiment, the predetermined time duration tobe used for the auto-wipe countdown timer is set in the received policymessage 72 (and thus set by the IT administrator through mobile deviceserver 66, as indicated above). In other example embodiments, thecountdown auto-wipe timer duration can be set directly at the mobiledevice 10 by a user thereof (although caution may need to be exercisedas user's often won't have an in depth knowledge of how often policymessages 72 are actually sent). In an example embodiment, the countdownauto-wipe timer tracks absolute time relative to when the policy message72 is received such that any attempt by a user of the device to alterthe time by re-setting the clock time and date on the device (either ina conscious attempt to thwart the pending device wipe, or in an innocentattempt to adjust to a different time zone) does not affect the totalduration of time allocated to the auto-wipe countdown timer.

As indicated in steps 206 and 208, once the auto-wipe timer has been setand begins to countdown, the mobile device 10 monitors for the earliestof the following two events to occur: (a) for a new policy message 72 tobe received (step 206); or (b) for the auto-wipe timer to time out (step208). In the event that the auto-wipe countdown timer times out before anew data protection policy message 72 is received by the mobile device10, then a device wipe is automatically performed (step 212) (describedin greater detail below). In the event that a new data protection policymessage 72 is received before time out of the auto-wipe timer, then thetimer countdown ends (step 207), and a check is done to see if the newlyreceived policy message 72 also specifies an auto-wipe policy (step202). If so, the auto-wipe timer is reset to the time specified in thenewly received policy message 72, and the countdown process beginsagain.

Turing again to step 212 of FIG. 2, a device wipe includes permanentlyerasing of all user data 60 stored on the permanent storage (for exampleflash memory 24) and transient storage (for example RAM 26) of themobile device 10. In at least some embodiments, erasing the dataincludes ensuring that at least the relevant memory locations areoverwritten with meaningless bits (for example all zeros or all ones).Thus, in a device wipe, in various embodiments, information required bythe mobile device 10 to function as a communications device is deleted(thereby disabling the mobile device 10 as a communications device—as apossible exception, the ability of the mobile device 10 to be used foremergency calls such as 911 calls may be maintained), and anyinformation such as stored email and other messages, address book lists,task items, etc. that may be confidential to the user is deleted. Insome example embodiments, a device wipe can include erasing onlyselected classes of data 60 (for example erasing of all service data 61,but not user application data 63, or alternatively, erasing all userapplication data 63 but not service data 61).

With reference to FIG. 3, in at least one example embodiment, thesecurity module 56 is also configured to wipe the mobile device 10 whenit is turned off and missing data protection policy messages 72.Typically, when the mobile device is in an off state its draw on battery12 is greatly reduced and substantially all of the device's functionsare suspended (for example, its display 22 and wireless communicationssubsystem 11 are shut down). Some limited device functions continue evenwhen the mobile device 10 is powered off, for example, in an off device,an internal clock continues to run and the device monitors foractivation of an “ON” button (so long as the battery has sufficientpower). When the mobile device 10 is powered off, it does not have theability to receive messages (including policy messages 72) through thewireless communications subsystem 11. In one example embodiment, themobile device 10 is configured so that turning the device off will notthwart an impending device wipe. As indicated in process 245 of FIG. 3,the security module 56 detects if shutdown of the mobile device isinitiated (for example, through user selection of a “Turn Power Off”option) while the auto-wipe countdown timer from process 200 is running(step 250). If the device power off is initiated while the auto-wipetimer is running, then an auto-on time is set corresponding to the timeremaining on the auto-wipe countdown timer (step 252). If the device isstill turned off when the auto-on time is reached, the deviceautomatically powers on and performs the device wipe (step 254). Inexample embodiments, sub-process 245 can be enabled and disabled throughpolicy messages 72.

Thus it will be appreciated that the security process of FIG. 2 is basedon an underlying assumption that if a mobile device 10 cannot receive apolicy message 72, it cannot receive a kill packet, and accordingly dataon the device is potentially at risk. This risk is mitigated by wipingthe data automatically after a specified amount of time passes withoutthe mobile device receiving a policy message 72. In at least someexample embodiments, as indicated in FIG. 3, the mobile device 10 willexecute the device wipe even if it is turned off prior to the expiry ofthe specified time duration.

The security process of FIG. 2 (either on its own or as combined withthe process of FIG. 3) can be varied in example embodiments to reducethe possibility that a device wipe that should otherwise have occurredwill not occur due to the mobile device 10 turning off due to adischarged battery 12. In this regard, with reference to FIG. 4, asub-process 265 can be performed as part of process 200 wherein whilethe auto-wipe countdown timer of process 200 is running, the securitymodule 200 monitors to determine if the battery power 12 falls below aparticular threshold (step 270), and if the battery power does fallbelow the predetermined threshold, then a device wipe is performedimmediately (step 272). In at least one example embodiment, the criticallow battery threshold is the level at which the mobile device willautomatically turn off its RF radio (namely when the mobile device 10will turn off the transmitter and receiver circuitry of the wirelesscommunications system 11)—the turning off of the radio is a relevantevent as the mobile device 10 can no longer receive a kill packet whenits radio is off. In an alternate embodiment, the critical low batterythreshold is a predetermined (or dynamically determined) level at whichthe mobile device 10 has just enough battery power remaining to executethe wipe process. Thus, the sub-process 265 in combination with process200 provides a security environment in which a mobile device that isconfigured to automatically perform a device wipe if a new policymessage is not received within a predetermined time duration willperform a pre-emptive device wipe prior to waiting for the entirety ofthe predetermined time duration if in the meantime battery power goestoo low. Such a configuration recognizes that attempting to wait theentire duration of the countdown auto-wipe timer will be ineffective ifthe battery will not contain enough power to facilitate the wipe at thefuture time. In example embodiments, sub-process 265 can be enabled anddisabled through policy messages 72.

In some embodiments, the sub-process 265 may be implementedindependently of the process 200. In such embodiments, a separate ITdata protection policy rule may be implemented indicating that thedevice should wipe itself when the battery level falls below apredetermined threshold regardless of whether an auto-wipe countdowntimer is running.

Another example of a security process that can be applied to mobiledevice 10 according to a further embodiment will now be described withreference to FIG. 5. The security process 500 of FIG. 5 permits a user'sdevice to be wiped when it has been lost or stolen but has not beenreported as such. In such a situation, the IT administrator will notknow that a kill packet should be sent, and furthermore, the device maystill be receiving policy messages 72 and accordingly a device wipethrough the process 200 will not necessarily be triggered. In an exampleembodiment, the security module 56 of mobile device 10 is configured toplace the mobile device 10 into standby locked state upon the occurrenceof certain events. While the mobile device 10 is in a locked mode, thedevice user is prevented from using substantially all of thefunctionality of the device, including accessing any data stored on themobile device 10. In order to get the mobile device out of its lockedstate, the user must enter a password or other shared secret (forexample through a keyboard of the device). The events that triggerplacing the mobile device 10 into a locked state may include, forexample, user selection of a device lock option; user inactivity for apredetermined duration; lack of wireless network coverage or activityfor a predetermined duration or holstering or closing of the mobiledevice 10.

It will be appreciated that the trigger condition for initiating alocked state of the mobile device 10 may be one of: user inputinstructing the mobile communications device 10 to initiate the lockedstate; the occurrence of a periodic interval or the expiry of apredetermined duration (for example, a long-term timeout may beimplemented by the IT administrator which causes the mobilecommunications device 10 to lock periodically after a predeterminedduration from a trigger condition (such as the unlocking of the devicefrom a previous locked state) regardless of the user activity or networkcoverage at the time); user inactivity for a predetermined duration (forexample, as measured by a lack of user input via the user input devices28, 32); loss of communication with the wireless network 50; andholstering of the mobile communications device 10 if the device is aholsterable device or closing of the mobile communications device 10 ifthe device is a flip-style device.

The trigger condition may also include a variance from a predeterminedthreshold in a communications characteristic (such as a messagingtraffic pattern between the mobile communications device 10 and thewireless network 50) between the mobile communications device 10 and thewireless network 50, a lack of communication by the mobilecommunications device 10 with the wireless network 50 for apredetermined duration of time, and a variance in the use of the inputdevices 28, 32 from a predetermined threshold.

In the security process 500 of FIG. 5, the data protection policyapplied mobile device 10 has been configured to specify that a devicewipe automatically be performed if the mobile device 10 remains in alocked state for more than a predetermined time duration. In oneembodiment, the data protection policy specifying such an auto-wipesecurity mode can be set at the enterprise network 70 by an ITadministrator and provided to the mobile device 10 through a policymessage 72 sent by the mobile device server 66 through the wirelessnetwork 50. In a similar manner, the auto-wipe security process 500 canbe disabled by an IT administrator at the enterprise network 70.

In the case where the security process 500 is enabled by the dataprotection policy applied to the mobile device 10, then an auto-wipecountdown timer is set to a specified time (which could be for examplebe specified in a message previously received from mobile device server66) as soon as the mobile device 10 is placed into a locked state (step504). Similar to the countdown timer used in security process 200, thetimer used in process 500 is also based on absolute time so that changesto the clock time or calendar date on the mobile device 10 do not affectthe countdown timer. Once the countdown timer is running, the mobiledevice 10 monitors to determine if the user authentication occurs (step506) prior to the expiry of the auto-wipe countdown timer (step 508). Ifthe user authenticates within the requisite time period (userauthentication including entry of a password or shared secret to unlockthe mobile device 10), then the countdown timer is stopped (step 512).However, if the countdown timer expires before user authenticationoccurs, then a device wipe occurs (step 510) to mitigate againstunauthorized access to data on the device.

It will be appreciated that the situation could arise where a policymessage 72 enabling the auto-wipe process of FIG. 5 is received from themobile device server 66 while the mobile device 10 is already in alocked state. In such a situation, the security module 56 is configuredin an example embodiment to immediately set the countdown timer to avalue specified in the received policy message 72 and begin process 500.Similarly, a policy message 72 may be received at the mobile device 10disabling the auto-wipe process 500 of FIG. 5 while the device is lockedand the countdown timer is running. In such a situation, the process 500is terminated without requiring the user entry of the shared secret.

The sub-process 245 discussed above (auto-on and device wipe at expiryof timeout period) and the sub-process 265 (device-wipe when battery lowand auto-wipe timer is running) can be run in combination with securityprocess 500 to further enhance security. Additionally, the securityprocesses 200 and 500 can both be applied simultaneously to a mobiledevice 10, with different countdown timers being used for each.

As previously noted, in the example security processes 200 and 500described above, the optional sub-process 265 can be used to ensure thatthe mobile device 10 is wiped if the device battery is sufficientlydischarged at the same time that an auto-wipe countdown timer isrunning. In at least some example embodiments, the security module 56can be configured to perform a device wipe any time that the batterycharge level falls below a threshold, for example, the threshold atwhich the device radio (wireless communications subsystem 11) getsautomatically turned off, regardless of whether any auto-wipe countdowntimer is running or not. Thus referring to FIG. 4, step 270 would bemodified so that the only relevant determination to be made is if thebattery power is below the threshold, and if so, then a device wipe isautomatically performed (step 272). In example embodiments, the modified“wipe device when battery low” process 265 can be enabled and disabledthrough policy messages 72 received at a mobile device 10.

Another example embodiment will now be described. As noted above, oneapproach to mobile device security is for the IT administrator to causethe mobile device server 66 to send a kill packet or device wipe commandto a specific mobile device 10 that the IT administrator has reason tobelieve may be lost or stolen, perhaps due to a notification from thenormal device user that he or she is missing his or her mobile device10. In such situations, the kill packet causes a device wipe immediatelyupon being received by the mobile device 10. However, there may becircumstances where a device user has misplaced his or her device, butthinks that there is a chance that they may recover it, and so thedevice user does not want the device immediately wiped upon advising theIT administrator of the missing device. In this regard, security process600 of FIG. 6 provides a “delayed-wipe process” in which a delayed dataprotection initiate command sent (e.g., device wipe command) from themobile device server 66 includes a specified delay time period (e.g.,timer duration), and upon receiving the delayed data protection initiatecommand, the mobile device 10 starts delayed data protection timer(e.g., auto-wipe countdown timer) configuring the mobile device 10 toperform a security action such as a device wipe if one of the followingevents does not occur prior the expiry of the timer: (i) the device userdoes not unlock the device prior to expiry of the timer; (ii) the mobiledevice 10 does not receive a further message from the mobile deviceserver 66 that either terminates/revokes the delayed data protectiontimer; or (iii) the mobile device 10 does not receive a further messagefrom the mobile device server 66 that extends the duration of timer.

The illustrated embodiment of FIG. 6 in which the security action to beperformed is a device wipe will now be described in more detail. Theprocess 600 commences when an IT administrator causes a delayed devicewipe command to be sent from the mobile device server 66 and the commandis received at the device (step 602). A delayed device wipe command issimilar to a policy message 72 but rather than providing details of anIT data protection policy, the delayed device wipe command instructs themobile device 10 to start a timer upon receipt of the command andprovides information relevant to the timer such as its duration.Typically, the transport and authentication mechanisms for both policymessages 72 and commands are the same, however different transport andauthentication mechanism could be used if desired. After receiving thedelayed device wipe command, the security module 56 of mobile device 10then sets an auto-wipe countdown timer to a time specified in thereceived device wipe command (step 604). Similar to processes 200 and500, the auto-wipe countdown timer of process 600 measures absolute timeso that resetting of the device clock or date has no effect on it. Whilethe auto-wipe countdown timer is running, the security module 56monitors for occurrence of any one of the following three events: (i)user authentication, which occurs when the user enters a password orshared secret to the mobile device 10 (step 606); (ii) receipt by themobile device of a terminate auto-wipe command from the mobile deviceserver 66 (step 608) (useful for example if the device user positivelydetermines that they have left the device in a secure location, but theycannot access it to enter the password); and (iii) receipt by the mobiledevice of a delay auto-wipe command from the mobile device server 66(step 612) (useful for example if the device user is reasonably certain,but not positive, that the device is in a secure location and wants moretime to reach the device). Events (ii) and (iii) give the device userflexibility to contact the IT administrator and arrange for cancellationor variation of the delayed wipe command. In the event that userauthentication (step 606) or receipt of a terminate auto-wipe message(step 608) occurs before expiry of the auto-wipe timer, than thesecurity process 600 is terminated (step 610). In the event of receiptby the mobile device of a delay auto-wipe command from the mobile deviceserver 66 (step 612) prior to expiry of the auto-wipe countdown timerthan the auto-wipe timer is reset to the new value that is specified inthe received command (the auto-wipe timer can be shortened by a similarprocess, if desired, rather than extended). In the event that auto-wipetimer expires prior to the occurrence of one of the above events, then adevice wipe is performed (steps 616 and 618) to erase data 60 anddisable the mobile device 10.

The sub-process 245 discussed above (auto-on and device wipe at expiryof timeout period) and the sub-process 265 (device wipe when battery lowand auto-wipe timer is running) can be run in combination with securityprocess 600 to further enhance security. Additionally, either or both ofthe security processes 200 and 500 can be applied in conjunction withprocess 600 to a mobile device 10, with different countdown timers beingused for each.

FIG. 7 illustrates another security sub-process 700 that can be appliedto the mobile device either on its own, or in combination with any orall of the processes 200, 500 and 600 and other sub-processes describedabove. In sub-process 700, the security module 56 forces the mobiledevice 10 to go into a locked state in the event that the mobile device10 is out of radio coverage for a predetermined time period, regardlessof any current user input activity. As indicated in step 702, thesecurity module 56 is configured to monitor for a lack of radio coveragethrough communications subsystem 11, and when the lack of coverage timeperiod exceeds a set out-of-coverage time threshold, then the mobiledevice 10 is forced into a locked state (step 704) regardless of anyuser interaction with the device at the time. After the device entersthe locked state, an authorized user will have the ability to at leasttemporarily unlock the device upon entry of the correct password orshared secret; however, without the entry of the password or sharedsecret the device will remain locked.

When sub-process 700 is enabled, even if the user successfully unlocksthe device, it will again lock itself if it remains out of radiocoverage for the predetermined out-of-coverage threshold. Securityprocess 700 provides some assurances that when the mobile device 10 isout of radio coverage (and thus unable to receive a kill packet ordevice wipe command) that the device will be in a locked state if it isin unauthorized hands. When combined with security process 500, thesub-process 700 can cause the device lock triggering event for startingthe auto-wipe timer of process 500. In some embodiments, the securitymodule 56 may be configured to perform a long term timeout that willlock the device every N minutes regardless of what the user is doing orwhat the radio coverage for the mobile device 10 is. Sub-process 700 canbe used to effectively shorten the long term timeout period by applyinga shorter timeout threshold when the device is out of radio coverage. Inexample embodiments, the “lock device when out-of coverage” process 700can be enabled and disabled through policy messages 72 received at amobile device 10.

In accordance with another example embodiment, there is provided amobile communications device 10, comprising: a processor for controllingthe operation of the mobile communications device 10; a user inputdevice 28, 32 connected to the processor 38 for sending user inputsignals to the processor 38 in response to user inputs; a communicationssubsystem 11 connected to the processor 38 for exchanging signals with awireless network 50 and with the processor 38; a security module 56associated with the processor 38 for monitoring to detect for a lack ofcommunication through the communications subsystem 11, if the durationof the lack of communication through the communications subsystem 11time period exceeds a predetermined duration, performing a securityaction comprising erasing or encrypting at least some of the data 60 onthe storage element 24, 26. The security module 56 may also initiate alocked state of the mobile communications device 10 if the duration ofthe lack of communication through the communications subsystem 11 timeperiod exceeds a predetermined duration, and perform monitoring, afterthe locked state has been initiated, to detect if a password shared bythe user and the mobile communications device 10 is entered through theuser input device 28, 32, and if entry of the password is detected,terminate the locked state. The security module 56 may be configured toonly perform a security action if the duration of the lack ofcommunication through the communications subsystem 11 time periodexceeds a predetermined duration and the mobile communications device 10remains in a locked state. The monitoring to detect for a lack ofcommunication and/or monitoring to detect if a password shared by theuser and the mobile communications device 10 is entered through the userinput device may be enabled and disabled by respective policy messages72 received on the mobile communications device 10. A related method andserver for sending policy messages 72 to the mobile communicationsdevice 10 is also provided.

It will be appreciated to persons skilled in the art that variousalterations, modifications and variations to the particular embodimentsdescribed herein are possible. For example, although the data protectionsecurity action has been described primarily as the erasure or “wiping”of data 60, it will be appreciated that encryption may be used as analternative to wiping data. In addition, the data 60 which is subject tothe data protection security action may be user application data 63(such as that associated with the application modules 58), service data61 required to establish and maintain communications with the wirelessnetwork 50, service data 61 required to establish and maintaincommunications with the wireless gateway 62, or combinations thereof.The erasure or encryption of data 60 may be performed on some or all ofeach of the above-described data types, or portions thereof. Inaddition, in some embodiment some of the data 60 may be erased and someof the data 60 may be encrypted. The decision between the data 60 whichis erased and the data 60 which is encrypted may be based on the type ofdata. In addition, the security module 56 may be configurable by theuser to erase or encrypt the data 60 on the storage element 24, 26. Inaddition, in some embodiments, where data 60 is erased the dataprotection security action may further comprise overwriting (withmeaningless data/bits, such as ones or zeroes) the portion of thestorage element 24, 26 where the erased data was data 60 was formerlystored.

While the present application is primarily described as a method, aperson of ordinary skill in the art will understand that the presentapplication is also directed to a communications device (such as themobile communications device described above), for carrying out thedisclosed method and including components for performing each describedmethod step, be it by way of hardware components, a computer programmedby appropriate software to enable the practice of the disclosed method,by any combination of the two, or in any other manner. Moreover, anarticle of manufacture for use with the apparatus, such as apre-recorded storage device or other similar computer readable mediumincluding program instructions recorded thereon, or a computer datasignal carrying computer readable program instructions may direct anapparatus to facilitate the practice of the disclosed method. It isunderstood that such apparatus (i.e., a communications device such asthe mobile communications device described above), articles ofmanufacture, and computer data signals also come within the scope of thepresent application. In addition, a communications system comprising amobile data server and a plurality of mobile communication devicesconnected via a wireless communication network, in which the mobile dataserver is configured to implement at least some of the securityprocesses herein described, and in which one or more of the mobilecommunication devices are configured to implement at least some of thesecurity processes herein described, also comes within the scope of thepresent application.

The embodiments of the present application described above are intendedto be examples only. Those of skill in the art may effect alterations,modifications and variations to the particular embodiments withoutdeparting from the intended scope of the present application. Inparticular, features from one or more of the above-described embodimentsmay be selected to create alternate embodiments comprised of asubcombination of features which may not be explicitly described above.In addition, features from one or more of the above-describedembodiments may be selected and combined to create alternate embodimentscomprised of a combination of features which may not be explicitlydescribed above. Features suitable for such combinations andsubcombinations would be readily apparent to persons skilled in the artupon review of the present application as a whole. The subject matterdescribed herein and in the recited claims intends to cover and embraceall suitable changes in technology.

1. A mobile communications device, comprising: a processor; acommunications subsystem connected to the processor operable to exchangesignals with a wireless network and with the processor; a storageelement connected to the processor and having a plurality of applicationmodules and data stored thereon, the data comprising at least userapplication data associated with the application modules and servicedata including data for establishing communications with the wirelessnetwork; and a security module operable to detect policy messagesreceived by the mobile communications device, wherein the securitymodule is further operable to perform a security action if a firstpolicy message to enforce a first data protection policy is received anda subsequent policy message to enforce a second data protection policyis not received within a predetermined duration from the time at whichthe first policy message is received; and wherein the security actioncomprises erasing or encrypting at least some of the data on the storageelement.
 2. The mobile communications device of claim 1, wherein thefirst data protection policy and the second data protection policy arethe same.
 3. The mobile communications device of claim 1, wherein thefirst data protection policy and the second data protection policy aredifferent.
 4. The mobile communications device of claim 1, wherein eachpolicy message is one of: (i) a message to initiate a new dataprotection policy, the message including the data protection policy tobe enforced; (ii) a message to maintain an existing data protectionpolicy, the message including the data protection policy to bemaintained or a confirmation that the existing policy is to be enforced;(iii) a message to modify an existing data protection policy, themessage including the modified data protection policy; and (iv) amessage to terminate an existing data protection policy, wherein if themessage is received within the predetermined duration, the securitymodule is operable to terminate the data protection policy beingenforced.
 5. The mobile communications device of claim 4, wherein eachpolicy message to terminate the data protection policy comprises amessage which includes no data protection policy or which includesinstructions to terminate the data protection policy being enforced. 6.The mobile communications device of claim 1, wherein each policy messagespecifies the predetermined duration between policy messages.
 7. Themobile communications device of claim 1, wherein the security module isoperable to determine if the first policy message received by the mobilecommunications device specifies that a first data protection policy isto be enforced; wherein the security module is further operable toinitiate a data protection timer for a first predetermined duration, ifthe security module determines that the first policy message specifiesthat the first data protection policy is to be enforced; wherein thesecurity module is operable to detect if a second policy message isreceived by the mobile communications device after the data protectiontimer has been initiated; wherein the security module is furtheroperable to determine if the second policy message is received withinthe first predetermined duration of the data protection timer and if thesecond policy message specifies that a second data protection policy isto be enforced; wherein the security module is further operable to resetthe data protection timer to a second predetermined duration if thesecond policy message specifies that the second data protection policyis to be enforced; wherein the security module is further operable toterminate the data protection policy if the second policy message doesnot specify that the second data protection policy is to be enforced;and wherein the security module is further operable to perform thesecurity action if the second policy message is not received within thefirst predetermined duration of the data protection timer.
 8. The mobilecommunications device of claim 7, wherein the first predeterminedduration is provided in the first policy message, and wherein the secondpredetermined duration is provided in the second policy message.
 9. Themobile communications device of claim 7, wherein one or more of thefirst predetermined duration and the second predetermined duration areconfigurable by a user of the mobile communications device.
 10. Themobile communications device of claim 7, wherein the first predeterminedduration is a first absolute time duration relative to a time when thefirst policy message is received, and wherein the second predeterminedduration is a second absolute time duration relative to a time when thesecond policy message is received.
 11. A mobile communications device,comprising: a processor; a communications subsystem connected to theprocessor operable to exchange signals with a wireless network and withthe processor; a storage element connected to the processor and having aplurality of application modules and data stored thereon, the datacomprising at least user application data associated with theapplication modules and service data including data for establishingcommunications with the wireless network; and a security module operableto detect if a delayed data protection initiate command is received bythe mobile communications device and initiate a delayed data protectiontimer for a first predetermined duration provided in the delayed dataprotection initiate command if a delayed data protection initiatecommand is received; wherein the security module operable to, after thedelayed data protection timer has been initiated, detect for: (i) entryof a password shared by the user and the mobile communications devicethrough the user input device within the first predetermined duration ofthe delayed data protection timer; (ii) receipt by the mobilecommunications device of a terminate command; or (iii) receipt by themobile communications device of a delay command; wherein the securitymodule operable to terminate the delayed data protection timer if entryof the password or receipt of the terminate command is detected withinthe first predetermined duration; wherein the security module operableto reset the delayed data protection timer for a second predeterminedduration provided in the delay command if receipt of a delay command isdetected within the first predetermined duration; and wherein thesecurity module operable to perform a security action comprising erasingor encrypting at least some of the data on the storage element if entryof the password, receipt of the terminate command, or receipt of a delaycommand is not detected within the first predetermined duration.
 12. Themobile communications device of claim 11, wherein the firstpredetermined duration of the delayed data protection timer is a firstabsolute time duration relative to a time that the delayed dataprotection timer is initiated, and wherein the second predeterminedduration of the delayed data protection timer is a second absolute timeduration relative to a time that the delayed data protection timer isinitiated.
 13. The mobile communications device of claim 11, wherein thesecond predetermined duration of the delayed data protection timer endsafter the first predetermined duration thereby extending the duration ofthe delayed data protection timer, or the second predetermined durationof the delayed data protection timer ends prior to the firstpredetermined duration thereby shortening the duration of the delayeddata protection timer.
 14. The mobile communications device of claim 1,wherein the security action comprises erasing at least some of the dataon the storage element and overwriting the portions of the storageelement where the erased data was located.
 15. The mobile communicationsdevice of claim 1, wherein the security action comprises erasingsubstantially all of the user application data from the storage element.16. The mobile communications device of claim 1, wherein the securityaction comprises erasing substantially all of the service data from thestorage element.
 17. The mobile communications device of claim 1,wherein the security action comprises encrypting at least some of thedata on the storage element.
 18. The mobile communications device ofclaim 1, wherein the security action comprises encrypting substantiallyall of the user application data from the storage element.
 19. Themobile communications device of claim 1, wherein the security actioncomprises encrypting substantially all of the service data from thestorage element.
 20. The mobile communications device of claim 1,wherein the service data further includes data required to establishcommunications through a wireless gateway connected to the wirelessnetwork.
 21. The mobile communications device of claim 1, wherein thesecurity module is configurable by the user to erase or encrypt the dataon the storage element, or selectively erase and encrypt portions of thedata on the storage element.
 22. A method for providing security on amobile communications device, the mobile communications device beingconfigured to communicate with a wireless communications network andincluding a storage element having data stored thereon, the methodcomprising the acts of: monitoring to detect policy messages received bythe mobile communications device; and if a first policy message toenforce a first data protection policy is received and a subsequentpolicy message to enforce a second data protection policy is notreceived within a predetermined duration from the time at which thefirst policy message is received, performing a security actioncomprising erasing or encrypting at least some of the data on thestorage element.
 23. The method of claim 22, wherein the first dataprotection policy and second data protection policy are the same ordifferent.
 24. The method of claim 22, wherein each policy message isone of: (i) a message to initiate a new data protection policy, themessage including the data protection policy to be enforced; (ii) amessage to maintain an existing data protection policy, the messageincluding the data protection policy to be maintained or a confirmationthat the existing policy is to be enforced; (iii) a message to modify anexisting data protection policy, the message including the modified dataprotection policy; and (iv) a message to terminate an existing dataprotection policy.
 25. The method of claim 22, further comprising: ifthe subsequent policy message to terminate an existing data protectionpolicy is received within the predetermined duration, terminating thedata protection policy being enforced.
 26. The method of claim 22,wherein each policy message to terminate the data protection policycomprises a message which includes no data protection policy or whichincludes instructions to terminate the data protection policy beingenforced.
 27. The method of claim 22, wherein each policy messagespecifies the predetermined duration between policy messages.
 28. Themethod of claim 22, wherein the act of monitoring to detect policymessages received comprises: monitoring to detect if a first policymessage is received by the mobile communications device; if a firstpolicy message is received, determining if the first policy messagespecifies a data protection policy is to be enforced; and if the policymessage specifies a data protection policy is to be enforced, initiatinga data protection timer for a first predetermined duration; andmonitoring, after a data protection timer has been initiated, to detectif a second policy message is received by the mobile communicationsdevice; if a second policy message is received within the firstpredetermined duration of data protection timer, determining if thesecond policy message specifies a data protection policy is to beenforced; if the second policy message specifies a data protectionpolicy is to be enforced, resetting the data protection timer to asecond predetermined duration; if the second policy message does notspecify a data protection policy is to be enforced, terminating the dataprotection policy; and if a second policy message is not received withinthe first predetermined duration of data protection timer, performingthe security action.
 29. The method of claim 28, wherein the firstpredetermined duration is provided in the first policy message, andwherein the second predetermined duration is provided in the secondpolicy message.
 30. The method of claim 28, wherein one or more of thefirst predetermined duration and the second predetermined duration areconfigurable by a user of the mobile communications device.
 31. Themethod of claim 28, wherein the first predetermined duration is a firstabsolute time duration relative to a time when the first policy messageis received, and wherein the second predetermined duration is a secondabsolute time duration relative to a time when the second policy messageis received.
 32. The method of claim 22, further comprising: monitoring,after a data protection timer has been initiated, to detect for apowering-off of the mobile communications device, and if a powering-offis detected, setting an auto-on time corresponding to the time remainingon the data protection timer, and if the mobile communications device ispowered-off at the auto-on time, powering-on the mobile communicationsdevice and performing the security action.
 33. The method of claim 32,wherein the monitoring for a powering-off of the mobile communicationsdevice is enabled and disabled by respective policy messages received onthe mobile communications device.
 34. The method of claim 22, furthercomprising: monitoring, after a data protection timer has beeninitiated, to determine if a battery level falls below a predeterminedthreshold, and if the battery power falls below the predeterminedthreshold, performing the security action.
 35. The method of claim 34,wherein the predetermined threshold is a level at which the mobilecommunications device will the operability of the communicationssubsystem to exchange signals with the wireless network.
 36. The methodof claim 34, wherein the predetermined threshold is a level below whichthe mobile communications device does not have enough power to performthe security action.
 37. The method of claim 34, wherein one of thepolicy messages comprises an instruction to enable or disable theoperability to determine if the battery level falls below thepredetermined threshold and to perform the security action if thebattery level falls below the predetermined threshold.
 38. The method ofclaim 22, further comprising: monitoring to detect for a locked state ofthe mobile communications device, initiating a lockout data protectiontimer for a predetermined duration upon detection of the locked state,and monitoring, after the lockout data protection timer has beeninitiated, to detect if a password shared by the user and the mobilecommunications device is entered through the user input device withinthe predetermined duration of the lockout data protection timer, ifentry of the password is detected within the predetermined duration,terminating the lockout data protection timer, and if entry of thepassword is not detected within the predetermined duration, performing asecurity action comprising erasing or encrypting at least some of thedata on the storage element.
 39. The method of claim 38, furthercomprising: monitoring for a trigger condition for initiating the lockedstate of the mobile communications device and initiating the lockedstate of the mobile communications device upon detection of the triggercondition.
 40. The method of claim 22, further comprising: if entry ofthe password is detected within the predetermined duration, terminatingthe locked state of the mobile communications device.
 41. The method ofclaim 39, wherein the trigger condition is one of: user inputinstructing the mobile communications device to initiate the lockedstate; the occurrence of a periodic interval; user inactivity for apredetermined duration of inactivity; loss of communication with thewireless network; holstering of the mobile communications device if thedevice is a holsterable device; and closing of the mobile communicationsdevice if the device is a flip-style device.
 42. The method of claim 38,wherein the predetermined duration of the lockout data protection timeris an absolute time duration relative to a time when the locked state isinitiated.
 43. The method of claim 38, wherein one of the policymessages comprises an instruction to enable or disable the detection forthe locked state of the mobile communications device and detection forentry of the password shared by the user and the mobile communicationsdevice is entered.
 44. The method of claim 43, wherein the predeterminedduration of the lockout data protection timer is provided in the policymessage enabling the detection for the locked state.
 45. The method ofclaim 43, further comprising: if the locked state has already beeninitiated, automatically initiating the lockout data protection timerupon receiving a policy message enabling the monitoring for the lockedstate, the lockout data protection timer being set to a predeterminedduration provided in the policy message enabling the monitoring for thelocked state.
 46. The method of claim 43, further comprising: if thelocked state has already been initiated, automatically terminating thelockout data protection timer upon receiving a policy message disablingthe monitoring for the locked state.
 47. The method of claim 38,wherein, in the locked state substantially all of the functionality ofthe mobile communications device is restricted, user input acceptedduring the locked state being substantially limited to entry of thepassword shared by the user and the mobile communications device throughthe user input device.
 48. The method of claim 38, wherein the act ofmonitoring to detect for the locked state comprises: monitoring todetect for a lack of communication through the communications subsystem,if the duration of the lack of communication through the communicationssubsystem exceeds a predetermined duration, initiating the locked stateof the mobile communications device.
 49. The method of claim 48, whereinone of the policy messages comprises an instruction to enable or disabledetection for the lack of communication and initiation of the lockedstate of the mobile communications device if the duration of the lack ofcommunication through the communications subsystem exceeds apredetermined duration.
 50. The method of claim 22, further comprisingthe acts of: monitoring to detect if a delayed data protection initiatecommand is received by the mobile communications device, and if thedelayed data protection initiate command is received, initiating adelayed data protection timer for a first predetermined durationprovided in the delayed data protection initiate command; andmonitoring, after the delayed data protection timer has been initiated,to detect for: (i) entry of a password shared by the user and the mobilecommunications device through the user input device within the firstpredetermined duration of the delayed data protection timer; (ii)receipt by the mobile communications device of a terminate command; or(iii) receipt by the mobile communications device of a delay command; ifentry of the password or receipt of the terminate command is detectedwithin the first predetermined duration, terminating the delayed dataprotection timer; if receipt of a delay command is detected within thefirst predetermined duration, resetting the delayed data protectiontimer for a second predetermined duration provided in the delay command;and if entry of the password, receipt of the terminate command, orreceipt of a delay command is not detected within the firstpredetermined duration, performing a security action comprising erasingor encrypting at least some of the data on the storage element.
 51. Themethod of claim 50, wherein the first predetermined duration of thedelayed data protection timer is a first absolute time duration relativeto a time that the delayed data protection timer is initiated, andwherein the second predetermined duration of the delayed data protectiontimer is a second absolute time duration relative to a time that thedelayed data protection timer is initiated.
 52. The method of claim 50,wherein the second predetermined duration of the delayed data protectiontimer ends after the first predetermined duration thereby extending theduration of the delayed data protection timer, or the secondpredetermined duration of the delayed data protection timer ends priorto the first predetermined duration thereby shortening the duration ofthe delayed data protection timer.
 53. A method for providing securityon a mobile communications device, the mobile communications devicebeing configured to communicate with a wireless communications networkand including a storage element having data stored thereon, the methodcomprising the acts of: monitoring to detect if a delayed dataprotection initiate command is received by the mobile communicationsdevice, and if the delayed data protection initiate command is received,initiating a delayed data protection timer for a first predeterminedduration provided in the delayed data protection initiate command;monitoring, after the delayed data protection timer has been initiated,to detect for: (i) entry of a password shared by the user and the mobilecommunications device through the user input device within the firstpredetermined duration of the delayed data protection timer; (ii)receipt by the mobile communications device of a terminate command; or(iii) receipt by the mobile communications device of a delay command; ifentry of the password or receipt of the terminate command is detectedwithin the first predetermined duration, terminating the delayed dataprotection timer; if receipt of a delay command is detected within thefirst predetermined duration, resetting the delayed data protectiontimer for a second predetermined duration provided in the delay command;and if entry of the password, receipt of the terminate command, orreceipt of a delay command is not detected within the firstpredetermined duration, performing a security action comprising erasingor encrypting at least some of the data on the storage element.
 54. Themethod of claim 53, wherein the first predetermined duration of thedelayed data protection timer is a first absolute time duration relativeto a time that the delayed data protection timer is initiated, andwherein the second predetermined duration of the delayed data protectiontimer is a second absolute time duration relative to a time that thedelayed data protection timer is initiated.
 55. The method of claim 53,wherein the second predetermined duration of the delayed data protectiontimer ends after the first predetermined duration thereby extending theduration of the delayed data protection timer, or the secondpredetermined duration of the delayed data protection timer ends priorto the first predetermined duration thereby shortening the duration ofthe delayed data protection timer.
 56. The method of 22, wherein thesecurity action comprises erasing at least some of the data on thestorage element and overwriting the portions of the storage elementwhere the erased data was located.
 57. The method of claim 22, whereinthe security action comprises erasing substantially all of the userapplication data from the storage element.
 58. The method of claim 22,wherein the security action comprises erasing substantially all of theservice data from the storage element.
 59. The method of claim 22,wherein the security action comprises encrypting at least some of thedata on the storage element.
 60. The method of claim 22, wherein thesecurity action comprises encrypting substantially all of the userapplication data from the storage element.
 61. The method of claim 22,wherein the security action comprises encrypting substantially all ofthe service data from the storage element.
 62. The method of claim 22,wherein the service data further includes data required to establishcommunications through a wireless gateway connected to the wirelessnetwork.
 63. The method of claim 22, wherein the security action isconfigurable by the user to erase or encrypt the data on the storageelement, or selectively erase and encrypt portions of the data on thestorage element.
 64. A server for providing security on at least onemobile communications device, the server being configured to communicatewith a plurality of mobile communications devices over a wirelessnetwork, the server comprising: a processor; a communications subsystemconnected to the processor for exchanging signals with the wirelessnetwork and with the processor; and a security module for sending policymessages to one or more of the devices in the plurality of mobilecommunications devices associated with the server at predeterminedintervals in accordance with a predetermined frequency, the policymessages including instructions for execution by the one or more of thedevices to enforce or terminate a data protection policy.
 65. The serverof claim 64, wherein the policy messages to enforce a data protectionpolicy comprise instructions for execution by the one or more of thedevices to perform a security action comprising erasing or encrypting atleast some of the data on the storage element if a subsequent policymessage to enforce a data protection policy is not received within apredetermined duration from the time at which a previous policy messageis received.
 66. The server of claim 64, wherein each policy message toenforce a data protection policy is one of: (i) a message to initiate adata protection policy, the message including the data protection policyto be enforced; (ii) a message to maintain an existing data protectionpolicy, the message including the data protection policy or aconfirmation that the existing policy is to be enforced; (iii) a messageto modify an existing data protection policy, the message including themodified data protection policy; or (iv) a message to terminate anexisting data protection policy is received within the predeterminedduration.
 67. The server of claim 66, wherein modified policy messagesare sent immediately upon a change in the respective data protectionpolicy.
 68. The server of claim 66, wherein modified policy messages aresent at a next interval.
 69. The server of claim 66, wherein the time atwhich modified policy messages are sent is configurable.
 70. The serverof claim 66, wherein each policy message to terminate an existing dataprotection policy comprises a message which includes no data protectionpolicy or which includes instructions to terminate a data protectionpolicy being enforced.
 71. The server of claim 66, wherein the policymessages to initiate or maintain a data protection policy specifies thepredetermined duration.
 72. The server of claim 66, wherein the policymessages to modify an existing data protection policy include a modifiedpredetermined duration.
 73. The server of claim 64, wherein thepredetermined duration is equal to the length of the interval betweensending policy messages.
 74. The server of claim 64, wherein thepredetermined frequency at which the policy messages are sent isconfigurable.
 75. The server of claim 64, wherein the policy messagesare sent globally to all mobile communications devices associated withthe server, to groups or classes of mobile communications devicesassociated with the server, or to one or more individual mobilecommunications devices associated with the server.
 76. The server ofclaim 64, wherein the policy messages comprise instructions forexecution by the one or more of the devices to perform monitoring, todetect if a first policy message is received by the mobilecommunications device; if a first policy message is received,determining if the first policy message specifies a data protectionpolicy is to be enforced; and if the policy message specifies a dataprotection policy is to be enforced, initiating a data protection timerfor a first predetermined duration; and monitoring, after a dataprotection timer has been initiated, to detect if a second policymessage is received by the mobile communications device; if a secondpolicy message is received within the first predetermined duration ofdata protection timer, determining if the second policy messagespecifies a data protection policy is to be enforced; if the secondpolicy message specifies a data protection policy is to be enforced,resetting the data protection timer to a second predetermined duration;if the second policy message does not specify a data protection policyis to be enforced, terminating the data protection policy; and if asecond policy message is not received within the first predeterminedduration of data protection timer, performing a security actioncomprising erasing or encrypting at least some of the data on thestorage element.
 77. The server of claim 76, wherein the policy messagescomprise instructions for execution by the one or more of the devices toperform monitoring, after a data protection timer has been initiated, todetect for a powering-off of the mobile communications device, and if apowering-off is detected, setting an auto-on time corresponding to thetime remaining on the data protection timer, and if the mobilecommunications device is powered-off at the auto-on time, powering-onthe mobile communications device and performing a security actioncomprising erasing or encrypting at least some of the data on thestorage element.
 78. The server of claim 76, wherein the policy messagescomprise instructions for execution by the one or more of the devices toperform monitoring, after a data protection timer has been initiated, todetermine if a battery level falls below a predetermined threshold, andif the battery power falls below the predetermined threshold, performinga security action comprising erasing or encrypting at least some of thedata on the storage element.
 79. The server of claim 76, wherein thepolicy messages comprise instructions for execution by the one or moreof the devices to perform monitoring to detect for a locked state of themobile communications device, initiating a lockout data protection timerfor a predetermined duration upon detection of the locked state, andmonitoring, after the lockout data protection timer has been initiated,to detect if a password shared by the user and the mobile communicationsdevice is entered through the user input device within the predeterminedduration of the lockout data protection timer, if entry of the passwordis detected within the predetermined duration, terminating the lockoutdata protection timer, and if entry of the password is not detectedwithin the predetermined duration, performing a security actioncomprising erasing or encrypting at least some of the data on thestorage element.
 80. The server of claim 64, wherein the policy messagescomprise instructions for execution by the one or more of the devices toperform: monitoring to detect if a delayed data protection initiatecommand is received by the mobile communications device, and if adelayed data protection initiate command is received, initiating adelayed data protection timer for a first predetermined durationprovided in the delayed data protection initiate command; andmonitoring, after the delayed data protection timer has been initiated,to detect for: (i) entry of a password shared by the user and the mobilecommunications device through the user input device within the firstpredetermined duration of the delayed data protection timer; (ii)receipt by the mobile communications device of a terminate command; or(iii) receipt by the mobile communications device of a delay command; ifentry of the password or receipt of the terminate command is detectedwithin the first predetermined duration, terminating the delayed dataprotection timer; if receipt of a delay command is detected within thefirst predetermined duration, resetting the delayed data protectiontimer for a second predetermined duration provided in the delay command;and if entry of the password, receipt of the terminate command, orreceipt of a delay command is not detected within the firstpredetermined duration, performing a security action comprising erasingor encrypting at least some of the data on the storage element.
 81. Theserver of claim 80, wherein the first predetermined duration of thedelayed data protection timer is a first absolute time duration relativeto a time that the delayed data protection timer is initiated, andwherein the second predetermined duration of the delayed data protectiontimer is a second absolute time duration relative to a time that thedelayed data protection timer is initiated.
 82. The server of claim 80,wherein the second predetermined duration of the delayed data protectiontimer ends after the first predetermined duration thereby extending theduration of the delayed data protection timer, or the secondpredetermined duration of the delayed data protection timer ends priorto the first predetermined duration thereby shortening the duration ofthe delayed data protection timer.
 83. The server of claim 64, whereinthe security action comprises erasing at least some of the data on thestorage element and overwriting the portions of the storage elementwhere the erased data was located.
 84. The server of claim 64, whereinthe security action comprises encrypting at least some of the data onthe storage element.
 85. A mobile communications device, comprising: aprocessor; a communications subsystem connected to the processoroperable to exchange signals with a wireless network and with theprocessor; a storage element connected to the processor and having aplurality of application modules and data stored thereon, the datacomprising at least user application data associated with theapplication modules and service data including data for establishingcommunications with the wireless network; and a security module operableto detect policy messages received by the mobile communications device,wherein the security module is operable to perform a security action ifa first policy message to enforce a first data protection policy isreceived and a subsequent policy message to enforce a second dataprotection policy is not received within a first predetermined durationfrom a time at which the first policy message is received; wherein thesecurity action comprises erasing or encrypting at least some of thedata on the storage element; wherein the security module is operable todetermine if a battery level falls below a predetermined threshold;wherein the security module is operable to perform the security actionif the battery power falls below the predetermined threshold; whereinthe security module is operable to detect if a delayed data protectioninitiate command is received by the mobile communications device;wherein the security module is operable to initiate a delayed dataprotection timer for a second predetermined duration if the delayed dataprotection initiate command is received; wherein the security module isoperable to, after the delayed data protection timer has been initiated,detect: (i) entry of a password shared by the user and the mobilecommunications device through a user input device within the firstpredetermined duration of the delayed data protection timer; (ii)receipt by the mobile communications device of a terminate command; or(iii) receipt by the mobile communications device of a delay command;wherein the security module is operable to terminate the delayed dataprotection timer if entry of the password or receipt of the terminatecommand is detected within the second predetermined duration; whereinthe security module is operable to reset the delayed data protectiontimer for a third predetermined duration provided in the delay commandif receipt of a delay command is detected within the secondpredetermined duration; and wherein the security module is operable toperform the security action if entry of the password, receipt of theterminate command, or receipt of a delay command is not detected withinthe second predetermined duration.
 86. A communications system forproviding security on a mobile communications device, comprising: one ormore mobile communications devices, each comprising: a processor; acommunications subsystem connected to the processor operable to exchangesignals with a wireless network and with the processor; a storageelement connected to the processor and having a plurality of applicationmodules and data stored thereon, the data comprising at least userapplication data associated with the application modules and servicedata including data for establishing communications with the wirelessnetwork; and a security module operable to detect policy messagesreceived by the mobile communications device, wherein the securitymodule is further operable to perform a security action if a firstpolicy message to enforce a first data protection policy is received anda subsequent policy message to enforce a second data protection policyis not received within a predetermined duration from a time at which thefirst policy message is received; and wherein the security actioncomprises erasing or encrypting at least some of the data on the storageelement; and a server comprising: a processor; a communicationssubsystem connected to the processor for exchanging signals with thewireless network and with the processor; and a security module forsending policy messages to the one or more mobile communications devicesat predetermined intervals in accordance with a predetermined frequency,the policy messages including instructions for execution by the one ormore of the mobile communications devices to enforce or terminate a dataprotection policy.
 87. A computer program product comprising amachine-readable medium tangibly embodying instructions executable on amobile communications device for providing security on the mobilecommunications device, the machine-readable instructions comprising:code for monitoring to detect policy messages received by the mobilecommunications device; and code for performing a security actioncomprising erasing or encrypting at least some of the data on thestorage element if a first policy message to enforce a first dataprotection is received and a subsequent policy message to enforce asecond data protection policy is not received within a predeterminedduration from a time at which the first policy message is received.